Odds are that few execs beyond security chiefs at big outfits know about the guidelines. A collection of crisis management pointers first assembled 10 years ago by the nonprofit National Fire Protection Assn., the 46-page set of guidelines was dusted off in 2004 by the 9/11 Commission. The commission urged that the recommendations "should define the standard of care owed by a company to its employees and the public for legal purposes." More recently, Congress pressed the Homeland Security Dept. to promote the recommendations as well. The agency since then has been urging such preparedness with public-interest advertising and discussion on such Web sites as www.ready.gov.
The guidelines are hardly burdensome. Companies must anticipate problems, update response plans, and train their staffs. But many may not be doing enough, says Mathiason. And although the standard is voluntary, experts warn that if a plaintiff's lawyer convinced a jury that a company's preparations fell short, it could be vulnerable to litigation after a disaster. "I would not like to be in a defendant's shoes in that case," says Aaron D. Twerski, dean of Hofstra University School of Law.
Moreover, some courts have suggested that once-unthinkable threats must now be planned for. Four years after a 1999 shooting at a Jewish summer camp in California, an appellate court ruled that the camp was not liable but also warned that events such as September 11 "have instilled public fear of criminal acts never before imagined." And, while litigation is still pending over the New York attacks, Federal Judge Alvin K. Hellerstein in late 2003 found that the plane hijackings were "within the class of foreseeable hazards."
Truth is, complying with the standard is manageable. Companies need to sketch out what to do if a disaster befalls a plant or office. Then they must answer questions such as: How would they evacuate or protect their people? Who staffs the internal response teams? What are the emergency contacts? What communications plans are in effect? Are supplies and shelter available? And do staffers practice responses to disasters regularly?
Soon after September 11, plenty of companies, especially big or particularly vulnerable ones and those that do business with the government, fashioned detailed response plans. Still others have long kept them handy to comply with Occupational Safety & Health Administration demands or other safety requirements. So long as they keep their plans current and their staffs updated, they're probably complying with the Homeland Security recommendations.
For those that have done little or gotten lax about updating plans, however, watch out. The last thing a company would need after a terrorist attack would be a bunch of lawsuits and an unsympathetic judge. But because of the little-noticed section of the September 11 report, that's exactly what could happen. By Joseph Weber in Chicago